Dang Thanh Binh
- Differentiate among various systems' security threats:
  - Privilege escalation
  - Virus
  - Worm
  - Trojan
  - Spyware
  - Spam
  - Adware
  - Rootkits
  - Botnets
  - Logic bomb
- Implement security applications.
- Differentiate between the different ports and protocols, their respective threats and mitigation techniques:
  - Antiquated protocols
  - TCP/IP hijacking
  - Null sessions
  - Spoofing
  - Man-in-the-middle
  - Replay
  - DoS
  - DDoS
  - Domain Name Kiting
  - DNS poisoning
- Explain the vulnerabilities and mitigations associated with network devices:
  - Privilege escalation
  - Weak passwords
  - Back doors
  - DoS
- Carry out vulnerability assessments using common tools:
  - Vulnerability scanners
  - Password crackers

Agenda:
- Attack Strategies
- Recognizing Common Attacks
- Identifying TCP/IP Security Concerns
- Understanding Software Exploitation
- Surviving Malicious Code
- Other Attacks and Frauds
- Access attack: someone who should not be able to access your resources tries to do so. Its purpose is to gain access to information that the attacker is not authorized to have.
- Modification and repudiation attack: someone wants to modify information in your systems.
- Denial-of-service (DoS) attack
- Eavesdropping
  - Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic.
  - This type of attack is generally passive.
- Snooping
  - Occurs when someone looks through your files hoping to find something interesting.
  - The files may be either electronic or on paper.
- Interception can be either an active or a passive process.
  - Intercept (v): to stop something or someone that is going from one place to another before they get there.
  - In a networked environment, a passive interception would involve someone who routinely monitors network traffic.
  - Active interception might include putting a computer system between the sender and receiver to capture information as it is sent. The process is usually covert.
  - Intercept missions can occur for years without the knowledge of the parties being monitored.
- Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user.
  - They are similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
  - The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
  - Website defacements are a common form of modification attack.
- Repudiation attack: a variation of modification attacks.
  - repudiate /rɪpjudieɪt/: to refuse to accept or continue with something; to state or show that something is not true or correct.
  - Repudiation attacks make data or information appear to be invalid or misleading.
  - Repudiation attacks are fairly easy to accomplish because most e-mail systems do not check outbound mail for validity.
  - Repudiation attacks, like modification attacks, usually begin as access attacks.
- Denial-of-Service
  - DoS attacks prevent access to resources by users authorized to use those resources.
  - Most simple DoS attacks occur from a single system.
  - Types of DoS attacks:
    - ping of death
    - buffer overflow
  - Requires a powerful transmitter.
- Distributed Denial-of-Service Attacks
  - Multiple computer systems are used to conduct the attack.
  - Zombies
  - Botnet: the malicious software running on a zombie
  - How do we defend against denial-of-service attacks?
- Back doors?
- A spoofing attack is an attempt by someone or something to masquerade as someone else.
  - IP spoofing and DNS spoofing
  - This type of attack is also an access attack, but it can be used as the starting point for a modification attack.
- Man-in-the-middle attack: places a piece of software between a server and the user.
- Replay attack: the attacker captures the information and replays it later.
  - The information can be usernames, passwords, or certificates from authentication systems such as Kerberos.
  - Slide photo caption: captured passwords projected on the wall at DEFCON.
  - Solution: certificates usually contain a unique session identifier and a time stamp.
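One way a server can apply the session-identifier-plus-time-stamp idea above is to keep a short-lived cache of identifiers it has already accepted. This is an added example, not code from the slides; it assumes the message is already integrity-protected (signed), so an attacker cannot simply change the identifier or time stamp, and it uses an assumed 30-second freshness window.

```python
import time

# Added example: reject replayed authentication messages by combining the
# unique session identifier and time stamp the slides describe.
# Assumption: the message body is integrity-protected (e.g. signed), so an
# attacker cannot forge a fresh identifier or time stamp; this guard only
# decides whether an authentic message is being presented a second time.

WINDOW_SECONDS = 30  # assumed freshness window; tune for clock skew


class ReplayGuard:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.seen = {}  # session_id -> epoch time after which the entry may be dropped

    def _expire(self, now):
        # Identifiers older than the window fail the freshness check anyway,
        # so the cache only has to remember identifiers still inside it.
        for sid in [s for s, drop_at in self.seen.items() if drop_at < now]:
            del self.seen[sid]

    def accept(self, message, now=None):
        """Return True for a fresh, first-seen message; False for stale or replayed."""
        now = time.time() if now is None else now
        self._expire(now)
        sid = message["session_id"]
        ts = message["timestamp"]
        if abs(now - ts) > self.window:
            return False  # outside the freshness window: stale (or bad clock)
        if sid in self.seen:
            return False  # identifier already accepted once: replay
        self.seen[sid] = ts + self.window
        return True
```

The freshness check and the identifier cache cover each other: a replay inside the window is caught by the cache, and a replay after the cache entry is dropped is caught by the time stamp.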
- Records cookies and replays them.
  - This technique breaks into Gmail accounts.
  - Technical name: Cross Site Request Forgery
  - Almost all social networking sites are vulnerable to this attack: Facebook, MySpace, Yahoo, etc.
- Brute-force attack
- Dictionary attack
- Hybrids: mixing the two techniques above
- Privilege escalation can be the result of an error on an administrator's part in assigning too high a permission set to a user, but it is more often associated with bugs left in software.
  - Cheat codes in video games.
- Network Access = OSI layers 1 and 2; defines LAN communication.
- Network = OSI layer 3; defines addressing and routing.
- Transport/Host-to-Host = OSI layers 4 and 5; defines a communication session between two applications on one or two hosts.
- Application = OSI layers 6 and 7; the application data that is being sent across a network.
- Network Access layer
  - Maps to layers 1 and 2 of the OSI model.
  - The level that a network interface card works on.
  - Source and destination MAC addresses are used to define the communication endpoints.
  - Protocols include Ethernet, Token Ring and FDDI.
- Internet layer: routing, IP addressing, and packaging
  - Internet Protocol (IP) is a routable protocol, and it is responsible for:
    - IP addressing
    - fragmenting and reassembling message packets
    - routing information only; it does not verify it for accuracy (accuracy checking is the responsibility of TCP)
- Transport layer
  - Maps to layers 4 and 5 of the OSI model.
  - Concerned with establishing sessions between two applications.
  - Source and destination endpoints are defined by port numbers.
  - The two transport protocols in TCP/IP are TCP and UDP.
- TCP: connection-oriented, "guaranteed" delivery.
  - Advantages
    - Easier to program with
    - Truly implements a "session"
    - Adds security
  - Disadvantages
    - More overhead / slower
- UDP: connectionless, non-guaranteed delivery (best effort).
  - Advantages
    - Fast / low overhead
  - Disadvantages
    - Harder to program with
    - No true sessions
    - Less security
    - A pain to firewall (due to no connections)
- Application layer
  - Most programs, such as web browsers, interface with TCP/IP at this level.
  - Protocols:
    - Hypertext Transfer Protocol (HTTP)
    - File Transfer Protocol (FTP)
    - Simple Mail Transfer Protocol (SMTP)
    - Telnet
    - Domain Name Service (DNS)
    - Routing Information Protocol (RIP)
    - Post Office Protocol (POP3)
- Encapsulate
  - to express or show something in a short way
  - to completely cover something with something else, especially in order to prevent a substance getting out
- Port Mirroring
- Sniffing the Network
- TCP Attacks
- A sniffer is a device that captures and displays network traffic.
- The client and server exchange information in TCP packets.
  - The TCP client sends an ACK packet to the server.
    - ACK packets tell the server that a connection is requested.
  - The server responds with an ACK packet.
  - The TCP client sends another packet to open the connection.
  - Instead of opening the connection, the TCP client continues to send ACK packets to the server.
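The handshake abuse described above (requests that are never completed, leaving the server with half-open connections; commonly called a SYN flood) can be spotted on the server side by counting handshakes that start but never finish. This is an added example, not code from the slides: the log format, the flag names and the addresses are constructed for illustration.

```python
from collections import defaultdict

# Added example: spot the half-open-connection pattern from the server's
# point of view. The log format is constructed for this example (not a real
# capture format): "<time> <src_ip> <dst_port> <flags>", where flags is
# S (client requests a connection), SA (server replies) or A (client
# completes the handshake). Addresses are private/documentation ranges.
SAMPLE_LOG = """\
1 10.0.0.5 80 S
1 10.0.0.5 80 SA
1 10.0.0.5 80 A
2 198.51.100.7 80 S
2 198.51.100.7 80 SA
3 198.51.100.7 80 S
3 198.51.100.7 80 SA
4 198.51.100.7 80 S
4 198.51.100.7 80 SA
5 198.51.100.7 80 S
5 198.51.100.7 80 SA
6 10.0.0.6 80 S
6 10.0.0.6 80 SA
6 10.0.0.6 80 A
"""


def half_open_by_source(log_text):
    """Count, per client address, handshakes that were started but never completed."""
    pending = defaultdict(int)
    for line in log_text.splitlines():
        _time, src, _port, flags = line.split()
        if flags == "S":
            pending[src] += 1
        elif flags == "A" and pending[src] > 0:
            pending[src] -= 1  # the final ACK retires one outstanding request
    return {src: n for src, n in pending.items() if n > 0}


def syn_flood_indicators(log_text, max_half_open_per_source=3, max_total=20):
    """Return (total half-open, sources over the per-source limit, total over limit).

    Real floods often spoof the source address, so each address may show only
    one unfinished handshake; that is why the total is reported as well."""
    counts = half_open_by_source(log_text)
    total = sum(counts.values())
    noisy = sorted(src for src, n in counts.items() if n > max_half_open_per_source)
    return total, noisy, total > max_total
```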
- TCP sequence number attacks occur when an attacker takes control of one end of a TCP session.
  - Each time a TCP message is sent, either the client or the server generates a sequence number.
  - The attacker intercepts and then responds with a sequence number similar to the one used in the original session.
  - The goal is to disrupt or hijack a valid session.
- Rogue access points
  - Rogue: not behaving in the usual or accepted way and often causing trouble.
  - Employees often set up home wireless routers for convenience at work.
  - This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks.
  - An attacker who can access the network through a rogue access point is behind the company's firewall and can directly attack all devices on the network.
- War driving
  - Beaconing: at regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network.
  - Scanning: each wireless device looks for those beacon frames.
  - Unapproved wireless devices can likewise pick up the beaconing RF transmission.
  - Formally known as wireless location mapping.
- Bluetooth
  - A wireless technology that uses short-range RF transmissions.
  - Provides for rapid "on the fly" and ad hoc connections between devices.
- Bluesnarfing
  - Stealing data through a Bluetooth connection: e-mails, calendars, contact lists, cell phone pictures and videos, etc.
- Database exploitation
  - If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.
- Application exploitation
- E-mail exploitation
- Spyware
  - Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it.
- Rootkits
  - Enable continued privileged access to a computer while actively hiding their presence from administrators by subverting standard operating system functionality or other applications.
- Armored Virus
  - Designed to make itself difficult to detect or analyze.
- Companion Virus
  - A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension.
- Macro Virus
  - A set of programming instructions in a language such as VBScript that commands an application to perform illicit actions.
- Multipartite Virus: attacks the system in multiple ways.
- Phage Virus
  - Modifies and alters other programs and databases.
  - The only way to remove this virus is to reinstall the programs that are infected.
- Polymorphic Virus
  - Changes form in order to avoid detection.
  - Frequently, the virus will encrypt parts of itself to avoid detection.
- Stealth Virus
  - Attempts to avoid detection by masking itself from applications.
- Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.
- Null sessions
  - Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password.
  - An attacker can collect a lot of data from a vulnerable system.
  - Cannot be fixed by patches to the operating systems.
  - Much less of a problem with modern Windows versions: Windows XP SP2, Vista, or Windows 7.
- Check kiting
  - A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected.
- Domain Name Kiting
  - Registrars are organizations that are approved by ICANN to sell and register Internet domain names.
  - A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee.
  - Unscrupulous registrars register thousands of Internet domain names and then delete them.
  - Recently expired domain names are indexed by search engines.
  - Visitors are directed to a re-registered site, which is usually a single-page website with paid advertisement links.
  - Visitors who click on these links generate money for the registrar.
- Used to manage switches, routers, and other network devices.
- Early versions did not encrypt passwords, and had other security flaws.
- But the old versions are still commonly used.
- DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254.
- DNS has many vulnerabilities.
  - It was never designed to be secure.
- Hosts file poisoning: put false entries into the Hosts file.
  - C:\Windows\System32\Drivers\etc\hosts
- DNS spoofing: the attacker sends many spoofed DNS responses.
  - The target just accepts the first one it gets.
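The "accepts the first one it gets" behaviour above is what makes spoofed responses work; a resolver that checks every field of a response against the query it actually sent is far harder to fool. This is an added example, not the slides' code: the messages are plain dictionaries rather than real DNS wire format, and the server addresses are constructed documentation addresses.

```python
import secrets

# Added example (not from the slides): what a resolver should verify before
# trusting a DNS response, next to the weak "first matching ID wins" check.
# Messages are plain dicts, not DNS wire format; addresses are constructed.


def send_query(pending, qname, qtype, server):
    """Record an outgoing query with a random 16-bit ID and a random source port."""
    query = {
        "id": secrets.randbelow(65536),
        "port": 1024 + secrets.randbelow(64512),  # randomised source port
        "qname": qname.lower(),
        "qtype": qtype,
        "server": server,
    }
    pending[(query["id"], query["port"])] = query
    return query


def accept_first_matching_id(pending, resp):
    """Weak resolver: only the transaction ID is compared, so a flood of
    guessed responses has just the 16-bit ID to hit."""
    return any(q["id"] == resp["id"] for q in pending.values())


def accept_validated(pending, resp):
    """Hardened resolver: ID, destination port, answering server and the
    question section must all match an outstanding query, which is then
    retired so any later (duplicate or forged) answer is discarded."""
    key = (resp["id"], resp["dst_port"])
    query = pending.get(key)
    if query is None:
        return False  # unknown ID/port pair
    if resp["src"] != query["server"]:
        return False  # answer did not come from the server we asked
    if resp["qname"].lower() != query["qname"] or resp["qtype"] != query["qtype"]:
        return False  # answer is for a different question
    del pending[key]
    return True
```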
- Zone transfers
  - Intended to let a new DNS server copy the records from an existing one.
  - Can be used by attackers to get a list of all the machines in a company, like a network diagram.
  - Usually blocked by modern DNS servers.
- DNS mitigations
  - Antispyware software will warn you when the hosts file is modified.
  - Using updated versions of DNS server software prevents older DNS attacks against the server.
    - But many DNS flaws cannot be patched.
  - Eventually: switch to DNSSEC (Domain Name System Security Extensions).
    - But DNSSEC is not widely deployed yet, and it has its own problems.
- ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34.